hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix possible out-of-bounds reads in modutil_count_statements

Browse Source 
The pointer manipulation in modutil_count_statements assumed that if a
semicolon is found, it is not the last character in the buffer. It also
assumed that the buffer contained at least one readable character.
This commit is contained in:
Markus Mäkelä
2017-08-17 15:54:44 +03:00
parent f98d4c1dbf
commit fe580d272f
1 changed files with 13 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
server/core/modutil.c
View File

@ -1018,21 +1018,25 @@ GWBUF* modutil_create_query(const char* query)
*/ */
int modutil_count_statements(GWBUF* buffer) int modutil_count_statements(GWBUF* buffer)
{ {
char* ptr = ((char*)(buffer)->start + 5); char* start = ((char*)(buffer)->start + 5);
char* ptr = start;
char* end = ((char*)(buffer)->end); char* end = ((char*)(buffer)->end);
int num = 1; int num = 1;
while (ptr < end && (ptr = strnchr_esc(ptr, ';', end - ptr))) while (ptr < end && (ptr = strnchr_esc(ptr, ';', end - ptr)))
{ {
num++; num++;
while (*ptr == ';') while (ptr < end && *ptr == ';')
{ {
ptr++; ptr++;
} }
} }
ptr = end - 1; ptr = end - 1;
while (isspace(*ptr))
if (ptr >= start && ptr < end)
{
while (ptr > start && isspace(*ptr))
{ {
ptr--; ptr--;
} }
@ -1041,6 +1045,7 @@ int modutil_count_statements(GWBUF* buffer)
{ {
num--; num--;
} }
}
return num; return num;
} }